[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 14:50:10 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.0

I'm currently doing a second pass for my patch for bug#31946. I also
have a preliminary OCSP patch. Emacs network security is going to be a
lot better soon, I promise. Meanwhile, GnuTLS doesn't seem to have
support Certificate Transparency (gnutls#232), but you could export the
extension as DER bytes, so feel free to figure out how to deal with that
in elisp.

On 05/07/2018 14:33, Perry E. Metzger wrote:
> Old thread, but I thought I'd reply on it.
> On Sat, 23 Jun 2018 12:23:31 +0200 Lars Ingebrigtsen <address@hidden>
> wrote:
>> For those who don't know what this is: Some browsers now ship with
>> built-in lists of certificate hashes, so if you're visiting that
>> site and presented with a different than expected certificate,
>> you'll know that somebody else has issued a certificate for the
>> site, and somebody has hijacked the connection.
>> Or, perhaps, that they just lost the private key and had to
>> generate a new certificate and now, oops, everybody that uses the
>> browsers with the built-in list will be unable to visit the site.
> What you depict there never happens. People don't lose keys in such
> circumstances.
> Pinning is what is done by sites like gmail to prevent third world
> dictatorships from using stolen certificate credentials to spy on
> their citizens. People who have been victims of this have had their
> email read, been arrested by state security forces for dissent, and
> have been tortured to death for lack of certificate pinning working
> in their browsers.
> This is a matter of life and death for many people.
>> do this via ELPA, I think.  Whether it's worth doing is another
>> issue; I think the jury is still out on that one...
> Do you think it's worth keeping people from quite literally being
> tortured to death?
> For most of the secure HTTP stuff we've been discussing, I would far
> rather be inconvenienced here and there than know my slight extra
> convenience was being paid for in human blood.
> Perry

reply via email to

[Prev in Thread] Current Thread [Next in Thread]